Resolve dependabots #158
Bumps [black](https://github.com/psf/black) from 23.10.1 to 24.3.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@23.10.1...24.3.0)
---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [idna](https://github.com/kjd/idna) from 3.3 to 3.7.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](kjd/idna@v3.3...v3.7)
---
updated-dependencies:
- dependency-name: idna
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 20.1.0 to 22.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@20.1.0...22.0.0)
---
updated-dependencies:
- dependency-name: gunicorn
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [werkzeug](https://github.com/pallets/werkzeug) from 2.3.3 to 3.0.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@2.3.3...3.0.3)
---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.3...3.1.4)
---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

updated-dependencies:
- dependency-name: requests
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
@@ -1,5 +1,5 @@ | |||
-r requirements.txt | |||
black==23.10.1 # Also update `.pre-commit-config.yaml` if this changes | |||
black==24.3.0 # Also update `.pre-commit-config.yaml` if this changes |
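Review bot: the comment on the changed line says `.pre-commit-config.yaml` must be updated whenever this pin changes, but no matching change to that file appears in this diff. Bump the black rev there to 24.3.0 in the same PR so the pre-commit hook and the pinned test dependency run the same formatter version; otherwise local hooks and CI can disagree on formatting.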
You also need to update the `.pre-commit-config.yaml` file, please.
Done in 74088cc
@@ -2,7 +2,7 @@ clamd==1.0.2 | |||
Flask==2.3.2 | |||
celery[sqs]==5.2.6 | |||
Flask-HTTPAuth==4.8.0 | |||
gunicorn==20.1.0 | |||
gunicorn==22.0.0 |
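Review bot: 20.1.0 to 22.0.0 skips a whole major version, and the thread below quotes a 22.0.0 changelog entry that HTTP versions < 1.0 or >= 2.0 are no longer accepted by default, so the request parser is stricter after this line changes. Before merging, confirm that every caller of this service sends HTTP/1.1 (the thread notes `requests` is HTTP/1.1 only) so the stricter parsing does not start returning errors after deploy. Since this is a direct production dependency and the PR description says merge deploys straight to production, it is worth checking on preview or staging first.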
A little bit cautious on this one. The changelog says
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
I think this says we have to send requests to gunicorn using HTTP/1.1 and can't send requests using HTTP/2
The bit that worries me is that our load balancers do have HTTP/2 enabled
You can see that on the Attributes tab for a given load balancer in our AWS account.
Technically, antivirus doesn't have a load balancer so there isn't HTTP/2 turned on, sending requests to the antivirus. This is because antivirus isn't available to the public internet and instead requests are sent directly between apps (not currently sure which version of HTTP they use). But if we were to merge this PR, it might be OK, but it also might not be (and we may not be able to do the equivalent for our other apps that do have external load balancers).
Or it might all be fine... depends somewhat on the internal workings of our AWS infra...
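As an added example (not code from this PR or from gunicorn), a small model of the changelog rule quoted above, plus a socket probe you can point at a gunicorn 22 backend you operate to see how it answers an HTTP/1.1 request versus an HTTP/2 connection preface. The host, port and `/` path in the probe are assumptions.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Request-line shape: METHOD SP TARGET SP HTTP/major.minor CRLF
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/(\d+)\.(\d+)\r\n")


def parse_http_version(request_line: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a request line, or None when there is no
    version token at all (an HTTP/0.9-style "GET /" line)."""
    m = _REQUEST_LINE.match(request_line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def accepted_by_gunicorn_22(request_line: bytes) -> bool:
    """Our reconstruction of the default rule quoted from the gunicorn 22
    changelog: versions below 1.0 or at/above 2.0 are rejected, so only 1.x
    request lines pass. This models the rule; it is not gunicorn's code."""
    version = parse_http_version(request_line)
    if version is None:
        return False
    return (1, 0) <= version < (2, 0)


def probe_backend(host: str, port: int, timeout: float = 3.0) -> Dict[str, str]:
    """Send a bare HTTP/1.1 request and the HTTP/2 connection preface to a
    backend you control and return the first response line for each.
    Needs network access to the target, so it is not exercised offline."""
    samples = {
        "http/1.1": b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode(),
        "h2-preface": b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",
    }
    results = {}
    for name, payload in samples.items():
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            first_line = s.recv(4096).split(b"\r\n", 1)[0]
        results[name] = first_line.decode(errors="replace")
    return results


if __name__ == "__main__":
    for line in (b"GET / HTTP/1.1\r\n", b"GET / HTTP/1.0\r\n",
                 b"PRI * HTTP/2.0\r\n", b"GET /\r\n"):
        verdict = "accepted" if accepted_by_gunicorn_22(line) else "rejected"
        print(line.strip(), "->", verdict)
```

The `PRI * HTTP/2.0` line is what an HTTP/2 client sends first on a cleartext connection, so it is the case that the stricter default would reject.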
`requests` is a lib specific to HTTP/1.1 (first line of the docs: https://requests.readthedocs.io/en/latest/#)
My only concern around gunicorn might relate to alphagov/notifications-api#3871
BUT
we don't use `worker_class = "eventlet"`
in antivirus, so it's probably fine?
I think I'm okay merging this but something to keep an eye on for a day or two
Going to close this in favour of defining more of these dependencies in utils.
Closes #148
Closes #151
Closes #152
Closes #153
Closes #154
Closes #156
🚨⚠️ This will be deployed automatically all the way to production when you click merge ⚠️ 🚨
For more information, including how to check this deployment on preview or staging first before it goes to production, see our team wiki section on deployment